Solution Showcase: Reducing Risk Through an Effective Cloud Security Strategy with CrowdStrike
Episode 103 • 19th July 2023 • This Week Health: Conference • This Week Health
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on This Week Health.

What you're looking for is really a partner that's going to help you adapt that as it evolves. As the adversary evolves, right?

I mean, because these adversaries, they're continuing to evolve and to go places and attack things that didn't used to be attacked before.  

All right. Today we have a solution showcase and we're going to talk about the cloud and security in the cloud and what's going on with health care security in the cloud. We have two great guests. We have Robert Cantu, Director of Cybersecurity Operations, Inova Health System, and Todd Felker, Executive Healthcare Strategist at CrowdStrike.

When I came into healthcare in:

t three to five years back in:

the middle has started to adopt and even some of the late adopters are starting to adopt, but that leads to an awful lot of things. And we're gonna talk about cyber security, and Robert, I'd love to start with you. You know, what are some of the key factors that are driving health care, and specifically your system, to the cloud?

Well, a number of factors: the length of time it takes to acquire equipment, supply chain issues. So to go into the cloud is very quick, very easy. It's not very challenging at all in that regard, once you get your initial setup in place, your security, your elements there.

The clinicians, the imaging components of the hospital need a lot of horsepower, to be able to turn on horsepower and compute when they need it. That's a couple of things that need to happen. And lastly, standardization. So it takes a lot of work to move a lot of hospitals and a lot of field offices over from one platform, say, Windows 7 to Windows 10 or Windows 10 to Windows 11.

There are benefits to the scale, transitioning that up to the cloud and then working through virtual desktops to achieve some of those goals much faster, with much less wear and tear and a more consistent baseline image that you're working with in that space.

So Robert, let me see if this resonates with you, from when I was CIO.

The data center team came to me and said, we need a million dollars for new PDUs, power distribution units. We need, I forget what it was, but the total was about two and a half to 3 million. And they said, we need this money. It wasn't budgeted for, and they wanted me to go to the executive leadership team and say, look, we need two and a half million dollars for PDUs and some other stuff.

And I just looked at them. I'm like, I'm not doing that. We're not going to keep building data centers, given the fact that we have so many of them that are buried in hospitals, still on the bottom floor, that kind of stuff. We're going to start to explore the cloud.

There are a lot of things with having things on prem that I think people like, especially from a disaster recovery standpoint. But there's a lot of downsides, like the fixed cost infrastructure, the agility, as you noted, not being able to order equipment.

Sometimes somebody comes to you and says, we want to do a new compute cycle or whatever. And you have to go, oh, my God. Well, yeah, we'll have all that equipment in place in 30 days. And they just look at you like, 30 days? What are we doing? Does that resonate with you in terms of the conversations?

30 days would be a blessing.

So you don't know what you had there, but we're talking six months to a year, maybe 18 months, to get so many things put in place in our data center. So it's very challenging to make all the machinations work, from provisioning, racking, allowing that equipment to be tested, configured, built, and then transitioning data from one to another.

And like you said, Bill, the amount of network equipment that needs restored. I think Cisco this year, not throwing anyone under the bus, but everyone's got cost increases. So Cisco changed some of their licensing that forces us to change in a different direction. So all of that has repercussions to wear and tear on the


All right, Robert, last question for now, and then I'll come back to you, because I want to go over to Todd. But moving to the cloud, and in light of some of the recent cybersecurity threats, how do you ensure the privacy and security of, obviously, the patient data, which is highly sensitive? During and after a transition to the cloud, how are you thinking through the privacy and security concerns of moving to the cloud?

Sure. So we think of it as the shared responsibility model. So we're using infrastructure as a service, software as a service, platform as a service. We take those models, we break them down into their pieces and parts. What are they going to consist of as far as data encryption, data at rest, data in transit. We would go with a private connection from our data center to the cloud, so that we're not using the open internet to connect to those platforms in the cloud. And then we instrument it, and we do a full instrumentation where we look at the CrowdStrike element.

We look where CrowdStrike can cover our components, our containers, our different assets. How often is compute spinning up, account changes for IdP, and other aspects of that. So we do a full integration and architecture before we do that, and then we bring different pieces into the cloud, test them, assess their performance, and continue.

That's fantastic. Todd, I appreciate you coming on the show, coming off the DL here. For those who aren't watching on the video, Todd has a sling on, recovering from surgery. And we appreciate you coming out to talk to us today. Not that the sling on your arm should impact this conversation at all.

But I do want to ask you, how does the CrowdStrike solution specifically address the challenges healthcare organizations have in moving to the cloud?

Oh, thanks, Bill. Yeah. And Robert and I are friends and we've been talking a lot about this. So, happy to be here and be able to talk about these things.

First and foremost, never have I heard a healthcare CIO or CISO say, I've got all the security professionals I need, right? So they're short staffed.

In fact, quite the opposite. Every year they're trying to get just one or two more people, if not 10.

Absolutely. And so they're trying to hold everything together. And, to be honest, the average number of tools that most organizations have, I think the latest numbers that I've seen are somewhere between 60 and 80 cybersecurity tools. So if you look at that and the number of security personnel that they have, they don't have enough bandwidth to really respond

in a fast and efficient manner to alerts and investigate things. And so, just right out of the gate, having the same console that can protect your on premise assets, that has a game changing cloud protection aspect to it, is going to just make them more efficient, because the threat hunters are going to be able to use the same console that they use for on premise as for providing protection in their cloud environment.

So that's what we bring, this kind of consolidation, where you don't have to keep adding more layers to their technology stack. And then when you get beyond that, you start looking under the covers and you realize, okay, we've got both agent based, like we have on premise, for those workloads that you shift to the cloud, so we can install the agent in the OS on a lot of those apps, and we have agentless.

So as a rule of thumb, agentless in the cloud is really going to provide you the visibility and the configuration management that you need. Like, hey, did somebody leave something open by mistake? There's a lot of cloud breaches that happen because of that. And so, yeah, having that visibility and being able to make sure that things are configured properly is really at the top of the list.

And that's what the agentless side of a cloud workload protection tool should bring. And that's great. But what we bring to the table is the ability to stop an attack with our agent based approach as well. And some of our competitors are just now getting to add that, and just now getting that out the door. But we've had that for quite a while now, and we provide that ability to stop attacks from the same console that you use on premise. And we feel like that's the value we're going to bring to the table.

I want to talk about the unique security requirements that the cloud brings to healthcare.

And Robert, I'll come back to you. And then Todd, I want to talk about what the key features are that CrowdStrike has to address those unique security requirements. But before that, Robert, I'd love for you to elaborate on the unique security requirements that come up from using cloud services in healthcare.

Sure. So obviously you've got unique data sets. You've got to stay in alignment with your PCI accreditation on how you're doing your billing, wherever your billing resides, whether it resides in the cloud, or a WordPress website hosted on prem, or third party hosted. So once you expose that to the PCI environment, you're going to have that in your quarterly audit.

There's going to be elements where we look for encryption in databases and such that Microsoft currently offers in Azure. Also, thinking about the vendors: they used to be happy when you would just go to the cloud and host in the cloud too, compute and store your data in the cloud. Now they really want you, and push hard for you, to use their tools.

I'll say the CrowdStrike platform gives us a multi cloud approach to doing that, and means during that assessment, because otherwise my teams would be learning the whole Azure stack, and having to use the different security tools, the different logging tools, et cetera. Now they've got to go and take all the same rules, put them in GCP or in RedRef.

This is where I think LogScale, IVP, and Falcon, along with Overwatch, really help you look at that whole multi cloud approach. So you're not locked into one ecosystem.

So, Todd, Robert just threw out a whole bunch of CrowdStrike specific terms. Can you define those before we go to the question?

Sure. So, yeah, I was thinking about it. Thanks, Robert. So, identity is one of our cornerstones. So being able to manage your identities that are both on premise and in the cloud is very powerful. Again, it's extending that protection to wherever your users and your workloads are going to go.

So that's first and foremost. And then he mentioned, did you mention Overwatch, right? So Overwatch is a team that has your back. So in other words, if you're big enough to have your own threat hunting, to have your own threat hunters, and to be investigating all of your incidents yourself, then you need good threat intelligence.

But you also probably want somebody that's world class threat hunting that has your back, that's just going to keep an eye on everything. And so that's what Overwatch is going to provide, is like, hey, we're just going to keep an eye on things. We're not going to be actively threat hunting for you.

But when we see something that we know is really noteworthy, we're going to pick up the phone and call you. We're going to execute a run book and we're going to get involved with you to help you stop something, because we see something a little bit more significant that's out of the normal, out of the ordinary going on.

So that's what Overwatch does. And then, yeah, Falcon. So Falcon is just the platform that all these things run on. Of course, if you don't have the bandwidth for your own threat hunters, we can manage it for you.

And we can run Complete and identify those threats and monitor your environment intensively, 24 by 7, with guaranteed response time. So that's what we bring: the fact that we have this platform that's got all these things, including threat intelligence that we learn from the tens of millions of endpoints that we're collecting logs and events on on a daily basis. So it's really a whole platform strategy to protecting this extended environment in the cloud.

I'll just add one thing to Todd, and probably the other thing that is unique to CrowdStrike, I think, for us, in a healthcare environment, is some of the best in class tools integrate pretty well.

So if you have a Medigate, or Ordr, or some other IoT tool, which is usually half your environment in the healthcare space, you have one of those tools. CrowdStrike had some great integrations there. Again, it continues to inform and enrich your view of your environment across the entire enterprise.

And whether the enterprise is in the cloud or on prem or at a field site, there's just a lot of medical IoT devices that really permeate most of these organizations. Usually in our setting, we have multiple hospitals, multiple field sites, over 100 field sites. So we're looking at way more than we are in our space.

So that's where I think the platform expands beyond itself and incorporates data from some of its partners and the community.

Yeah, and that can't be understated, just the ability to have a single platform and start bringing these partners in and getting that. I don't think we'll ever get to a single pane of glass.

But that's the hope, instead of having 40 different systems out there monitoring things. Even if you do have 40 systems, it's bringing it into a central location. I know my team was always inundated with the number of events that they had to try to determine what they were going to go after.

Todd, key features of CrowdStrike, distinct and unique? Wow.

Well, back in:

And getting things like the identity platform and building threat intel and attack surface management, you know what I mean? We've just got so many areas that CrowdStrike's expanded to. And so it's really just the ability to have a single partner that's going to help you where you have your gaps, where you need more visibility, where you address your risk register, and how you are going to continue to mature your program.

We've got you and we're going to be there to help you expand into those areas. And it's really just about building best in breed modules to extend that visibility out across the platform.

Yeah. I mean, one of the things I love about CrowdStrike is that whole crowd aspect of it. Every day, collecting more and more data, getting smarter every day, not only monitoring healthcare, but you're also monitoring a ton of other industries, I think, because not every attack begins in health care, and sometimes we benefit from having those links into other industries as well.

Yeah, it's the whole power of the crowd, right? So it's the crowd in CrowdStrike. And one of the things that we bring to the table is not only understanding the adversaries that are going after healthcare, but, like you said, it doesn't matter if an adversary that used to attack finance suddenly decides to get into healthcare, we still have to be able to protect you.

So it's having the knowledge of what the attack cycles are, and it's interesting. I have a pretty good story that's just very recent. There's this adversary, I don't think we've even named him yet. I think it would be a spider if we were to name him, but it's called Spy Boy, and he's selling on the dark web.

This adversary is selling this Terminator antivirus killer, and one of the cool things that we started doing about a year ago was adding in not just indicators of compromise into our AI and our threat intelligence from all these millions, tens of millions of endpoints that we're protecting across the globe, but now we're identifying indicators of attack.

So we're moving up the attack cycle and increasing the speed of our AI. And so by doing the indicators of attack, we're actually stopping things quicker. And this Spy Boy is selling this. It's a Windows driver attack where basically they can swap out a driver once they get administrative privileges on an endpoint.

And they're saying that none of the EDR, MDR, AV tools can stop this, and CrowdStrike saw this early on. It just came out like a month ago, and our AI determined that it was not normal behavior, and we captured those indicators of attack and immediately shared it with all of our customers, and it didn't get by us right out of the gate.

And so now immediately all CrowdStrike customers were protected from this software being sold on the dark web that is getting by other tools. And so I feel like this whole indicators of attack and the speed that we bring with our intelligence, and from the power of the crowd, is really valuable and can help healthcare, which is one of the most attacked industries.

We'll get back to our show in just a minute. Our rural healthcare systems face unique challenges in America. Join us for our upcoming free webinar, Rural Healthcare Challenges and Opportunities, on August 3rd at 1 o'clock Eastern Time. We'll unpack these challenges and look for opportunities for smaller health systems to take the lead in the delivery of care to this underserved population.

PM Eastern Time and:

Robert, I want to talk to you about your staff. It's interesting. One of the biggest disruptions and mistakes I made as a CIO was moving to the cloud and thinking, oh, the staff will just pick up this new set of tools and away they go. There was an awful lot of resistance.

There was resistance back in:

cybersecurity with the cloud, and how did you upskill your staff? How did the whole team come along for the cloud journey, if you will?

Great question. And actually I reached out to him and he became a key part of that upskilling and moving forward.

So basically what we did was, our team had come along and really gotten into our tools. Todd was mentioning there's a lot of tools in our environment. For the cybersecurity side and the IT side, there are quite a few tools that we use. My team is only about 10 in size, and that's on the larger side, from some of the Hotfields that I've spoken with, for cyber ops. Anyway, so what we did was, we said, okay, we've got a sort of organized pivot. So the way I do it is I bring together my team and say, we're going to do a workshop, and really we build a messaging campaign within the team and say, hey, that thing you saw, how would that look different in the cloud?

The thing that would happen, or the pop up, or the thing that we just stopped, or the phish. How would that change if we got into the cloud? So it's just opening up the dialogue and getting people to think a little different. Then we have a workshop basically focused on the threat to the cloud.

Like, so we're going into the cloud. Where are the threats? How bad is that space being pillaged and pwned every day? And then reminding them of the tools that Todd was just speaking to: a lot of the tools that CrowdStrike has are mapped to the MITRE framework. So we can take that MITRE framework and say, yeah, you're doing it on prem, but taking that same framework into the cloud, that all applies here as well.

So it's not a heavy lift. It's a slight reorientation for them, but there are new skills, new terminology, new ways of doing incident response that we won't have in the future that we need to think about going forward. So that workshop was really focused on threat intel. What are the threats? How are people owning it?

That identity piece is even more critical as you get into the cloud, because that's the key, that's the front door key and the bolt lock to let anyone into your environment. So that identity piece in CrowdStrike really helps us know that when those credentials show up on the dark web, which Todd was just speaking to, almost immediately it's going to make them change their password if their accounts show up out there.

Any new roles you had to add to cyber ops as a result of moving to the cloud?

So I took my most advanced person, and I'd like to get at least one or two more people who are focused on cloud, because GCP, AWS, and Azure are all different clouds, even Oracle, a different cloud. So having someone who can dig in deep and understand the differences would be a great asset to my team, whether they were on my team or part of an MSSP. You can tackle this challenge a couple of different ways. But the key part is, this summer I made that part of their project. So I got a couple of interns doing it. I think it's good for their career. I've got my lead guy doing it because it's good for him and us.

And one or two or three more people are contributing. But also some SANS training out there, that's really good. All that's contributing to a project at the end of the summer where we're going to sit there and say, these are our initial recommendations as we're getting ready for the cloud, to put these measures in place to help us stay protected, whether it's encryption at rest, encryption in transit, connectivity to the cloud, the agentless components, adding those to our tools, making sure our gap analysis exercise on a twice a year basis is comporting with the challenges of where we're going and what we're doing.

That's fantastic. Todd, I'd be remiss if I didn't ask this question. We have a lot of health systems that are listening to this that are small, rural. We have some that are listening that are large, academic. Talk about CrowdStrike's approach to the different environments, and what have you seen, maybe with the large systems and how they implement CrowdStrike, or even the critical access hospital or small rural, and how they would approach a CrowdStrike solution.

Yeah, it gets really tricky for the smaller orgs, because they just can't scale and have the teams, right? So one of the ways that they can address the FTE problem is to go with more kind of managed services. And for those smaller orgs, like, Robert comes from a larger multi hospital health system, and they're taking the time to methodically build their strategy.

There would be a lot of organizations that would really be excited to have his staff.

Absolutely. Yeah. They're great guys too. I really enjoy working with them, but, you know, the smaller hospitals, they need to have things taken off their plate. Just, here, take care of this for us.

And so that's where our Complete offering we touched on earlier comes into play, because we're basically going to say, look, just let us run the platform for you. We're going to do the threat hunting. We're going to call you if there's really something major going on, but yeah, we're going to do the threat hunting for you, 24 by 7 by 365.

So I was in between the Robert scenario and the small rural hospital scenario when I was a CISO, and when I started with the platform, I got somebody all trained up and had him doing the threat hunting. But he only could work so many hours a week, right?

And he wasn't there on weekends. And then eventually you get somebody that gets really good and they get really trained, and what do they do? They usually go find another gig somewhere else and try to get more money. Right. And so when that happened, it happened to be around the same time as my renewal.

I just went Complete, because I thought, you know what, it's really too hard for me to keep one or two key people up to speed. And this is too important. So really being able to have somebody do that threat hunting for you all the time, and be able to watch both your on-premise and your cloud environment, which is something we offer now, is just really fantastic.

Does the approach change when you get to a large system, or is there still that pressure on the staffing? I would think there is.

Yeah. I think that, and Robert could speak to this, so go ahead and chime in, but I feel like yes, the pressure's still there, but you can diversify it and people can specialize more.

Scale is always a problem, whether you're a small entity or a larger entity. It's, what do they say, more money, more sites, more problems.

So, more identities.

More identities. That's right. So, yeah, it's a challenge wherever you are.

All right.

Here's the exit question for the interview. You guys have implemented solutions. You're looking at moving to the cloud, security solutions in the cloud. What would you tell somebody? I'm a CIO. I'm a CISO for a system. I'm thinking about this, I'm looking at this.

I'm faced with some of the challenges that we've already described. Pressure for staffing. I just lost some key people. But also I don't have a ton of budget either. I've got budget pressure as well. I mean, it's all the normal things that we're hearing in healthcare. What are you telling them as they move forward?

What are some signposts they should look for, things they should consider as they do that? Todd, I'll start with you, and I'll let Robert have the last word.

Sure. So I feel like what you're looking for is really a partner that's going to help you adapt as it evolves, as the adversary evolves, right?

I mean, because these adversaries, they're continuing to evolve and to go places and attack things that didn't used to be attacked before. So what you're looking for is really just a partner to be able to help you to adapt to that environment as it grows. We're talking about cloud, and the smaller orgs dipping their toe in and going to the cloud, right?

So, yeah, it's like you may start with Azure, but you're also going to want a solution that, as the cloud usage grows, and we hear that like half of the world's data is going to be in the cloud within so many years, I feel like being able to expand to the other clouds and be able to have your tools work in both Azure, but also AWS and Google, and be able to just protect a multi cloud environment is really important. And so it's all about this ability to adapt and to protect those things that the adversary is going to go after.

And Robert, words of wisdom from you, having been there, done that.

So just trying to get a view on your budget: what you're spending for power, what you're spending for cooling, what you're spending for that space that is your data center. That is not optimal. It's sitting in closets. It's getting another non conditioned space. You've got water pipes and other things running across your server room.

They're just waiting to blow through a million or 2 million worth of network equipment on a bad day. So there's a lot of ways that I think the cloud helps, but then take time to pick your partners. Listen to your colleagues out there in the community.

And, like Todd was saying, you're picking a partner. So everyone's been along this journey. What I'm doing, what I think anyone in my position would do, is going out and picking the right partners that are going to, A, help you protect, B, help you bring your system along and get it to a more solid, more secure state, and C, they get along in the ecosystem so that you can maximize your investment and your tools and limit the amount of staff you have to bring on to your own premises, so that you can achieve this in an economical way, a secure, economical way.

Oh, fantastic discussion. I want to thank you guys. This is a very relevant topic. I hear more and more health systems even moving their EHR to the cloud, ERP solutions in the cloud.

Clearly CRM in a lot of cases has moved to the cloud, HR systems, PACS systems. I've even, especially the VNAs, have gone to the cloud. I mean, there's so much that is making that migration, and protecting that from a privacy standpoint, from a security standpoint, is so important.

So I appreciate all the work that you're doing, Robert. I appreciate what CrowdStrike is doing, Todd, in helping to secure health care in that past. So, gentlemen, thank you very much for your time. Thank


I love the chance to have these conversations. I think if I were a CIO today, I would have every team member listen to a show like this one. I believe it's conference level value every week. If you wanna support This Week Health, tell someone about our channels; that would really benefit us. We have a mission of getting our content into as many hands as possible, and if you're listening to it, hopefully you find value, and if you could tell somebody else about it, it helps us to achieve our mission. We have two channels. We have the conference channel, which you're listening to, and This Week Health Newsroom. Check them out today. You can find them wherever you listen to podcasts. Apple, Google, Overcast. You get the picture. We are everywhere. Thanks for listening. That's all for now.